Hacker-powered security platform, HackerOne announced the next evolution of the Internet Bug Bounty (IBB) program. HackerOne stated that the mission of the Internet Bug Bounty program is to secure open-source by pooling funding and incentivizing security professionals to report vulnerabilities. The renewed program provides a new pooled funding model allowing organizations to leverage the IBB to secure open-source dependencies.
New funding model and unified program
Organizations that rely on open-source for software supply chains and digital infrastructure are participating partners, along with HackerOne. The program has already made progress with over 1,000 flaws uncovered in open source projects since its initial launch in 2013, leading to $900,000 in bounties awarded to nearly 300 hackers. The new funding model and unified program improve incentives for partners, maintainers, and hackers. The new program makes three key changes to the original IBB:
- Pooled defenses from existing bounty programs – HackerOne customers will be able to leverage the IBB to secure open source components within their enterprise’s supply chain, by pooling 1-10% of their existing HackerOne bug bounty spend with others that share their risk.
- Support across the vulnerability lifecycle – Bounties will be divided between hackers and maintainers via an 80/20 bounty split. Since open source software maintainers volunteer to help remediate vulnerabilities that are discovered, the bounty split ensures payment for every stakeholder that contributes to vulnerability management.
- Simplified vulnerability submission – A consolidated submission flow and dedicated HackerOne support team will improve the hacker experience.
Alex Rice, CTO and co-founder of HackerOne said,
“Recent cyberattacks against software supply chains demonstrate the urgency of securing these organizational blind spots. And open-source software represents a growing portion of the world’s critical supply chain attack surfaces. The new IBB empowers organizations that are beneficiaries of open source to play an active role in collectively building more secure digital infrastructure for everyone.”